Clinical Pathology Laboratories (CPL) is the latest victim of a data security breach at the billing collections service American Medical Collection Agency (AMCA).
Some 2.2 million patients may have had their names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information stolen, CPL said in a press release.
CPL learned of the breach involving the AMCA payment website after being contacted by the company. The incident is limited to the AMCA’s systems.
As an independent collection agency, the AMCA is used for debt collection by CPL, as well as other labs and healthcare providers. The security of CPL’s systems was not affected by the incident, the release indicated.
Austin, Texas-based CPL said in the release that it blames the AMCA for not providing more details when the breach was initially discovered in May. Although the AMCA notified CPL about the incident at that time, it wasn’t enough to identify potentially affected patients or to confirm the nature of patient information potentially involved.
CPL noted that they take the security of its patients’ information very seriously, including the security of data handled by vendors. CPL is no longer using the AMCA for collection efforts and is conducting its own investigation.
The AMCA’s eight-month breach was first disclosed in June when news broke that 11.9 million Quest Diagnostics and UnitedHealth Group patient records were exposed. Days later, 7.7 million LabCorp customers were compromised.
The AMCA has advised CPL that patients’ Social Security numbers were not involved in the incident. CPL said it does not provide the AMCA with healthcare records such as laboratory results and clinical history.
In response to the breach, the AMCA sent notification letters to approximately 34,500 CPL patients. In addition, based on AMCA’s investigation and other information it provided, CPL estimated that approximately another 2.2 million patients may have been affected by the incident.
The impact of this incident is limited to patients whose accounts were referred for debt collection and who reside in the United States.